APT28 Accelerates Cyberattacks with PRISMEX Malware Targeting Ukraine and NATO Allies

The Russian state-aligned threat actor APT28, also tracked as Forest Blizzard and Pawn Storm, has launched a new spear-phishing campaign against Ukraine and its allies. The operation delivers a previously undocumented malware suite codenamed PRISMEX, which combines detection-evasion techniques with remote command execution on the compromised host.

Overview of APT28’s Campaign

The PRISMEX suite relies on steganography, Component Object Model (COM) hijacking, and the abuse of legitimate cloud storage for command-and-control (C2). Trend Micro researchers Feike Hacquebord and Hiroyuki Kakara noted that the campaign has been active since at least September 2025 and targets a wide array of sectors in Ukraine, including central executive bodies, hydrometeorology, defense, and emergency services. It also extends to rail logistics in Poland, the maritime and transportation sectors in Romania, Slovenia, and Turkey, logistical support partners involved in ammunition initiatives in Slovakia and the Czech Republic, and military and NATO partners.

Rapid Exploitation of Vulnerabilities

One of the most alarming aspects of this campaign is the rapid weaponization of newly disclosed vulnerabilities, specifically CVE-2026-21509 and CVE-2026-21513. Both were used to breach targeted entities, with infrastructure preparations observed as early as January 12, 2026, two weeks before the public disclosure of CVE-2026-21509. This timeline suggests that APT28 had advance knowledge of the vulnerabilities before they were made public.

In late February 2026, Akamai reported that APT28 may have weaponized CVE-2026-21513, a Windows Shortcut (LNK) security feature bypass, as a zero-day. The exploit was uploaded to VirusTotal on January 30, 2026, eleven days before the Microsoft Patch Tuesday release of February 10, 2026 that addressed the issue.

Two-Stage Attack Chain

The overlap between the two campaigns points to a two-stage attack chain: the domain "wellnesscaremed[.]com" appears in activity exploiting both vulnerabilities. In the first stage, CVE-2026-21509 causes the victim's system to retrieve a malicious .LNK file; in the second, that file exploits CVE-2026-21513 to bypass security features and execute payloads without any user warning.

The culmination of these attacks results in the deployment of either MiniDoor, an Outlook email stealer, or the interconnected malware components of PRISMEX. The suite is named for its use of steganographic techniques to conceal payloads within image files. Key components of PRISMEX include:

  • PrismexSheet: A malicious Excel dropper that uses VBA macros to extract payloads embedded in the file, establishes persistence through COM hijacking, and displays a decoy document (a drone inventory list) once macros are enabled.

  • PrismexDrop: A native dropper that prepares the environment for further exploitation, employing scheduled tasks and COM DLL hijacking for persistence.

  • PrismexLoader (also known as PixyNetLoader): A proxy DLL that extracts the next-stage .NET payload from a PNG image’s file structure using a custom “Bit Plane Round Robin” algorithm, executing it entirely in memory.

  • PrismexStager: A COVENANT Grunt implant that utilizes Filen.io cloud storage for C2 operations.
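The report names PrismexLoader's image-carving routine ("Bit Plane Round Robin") but does not publish how it works. The following is an added example, not code from the report or from the malware: one plausible reading of that name, in which consecutive payload bits are written into rotating low-order bit planes of consecutive pixel samples. The point it demonstrates is why a generic single-plane LSB scanner recovers noise from such a carrier even though every sample changes by at most one bit. The cover bytes, payload, number of planes and length-prefix framing are all assumptions of the example.

```python
"""Bit-plane round-robin steganography (constructed illustration).

Not PrismexLoader's algorithm, whose internals are unpublished; this is one
reading of the name "Bit Plane Round Robin". Bit i of the payload goes into bit
plane (i mod PLANES) of sample i. Samples are raw 8-bit values, e.g. the decoded
RGB bytes of a PNG.
"""
from typing import Iterator, Tuple

PLANES = 3  # assumption: rotate over bit planes 0, 1, 2


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes, planes: int = PLANES) -> bytes:
    """Write a 4-byte big-endian length prefix plus `payload` into `cover`."""
    body = len(payload).to_bytes(4, "big") + payload
    if len(body) * 8 > len(cover):
        raise ValueError(f"cover has {len(cover)} samples, body needs {len(body) * 8}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(body)):
        plane = i % planes
        out[i] = (out[i] & ~(1 << plane) & 0xFF) | (bit << plane)  # replace one bit
    return bytes(out)


def extract(stego: bytes, planes: int = PLANES) -> bytes:
    """Inverse of embed(); rejects carriers whose length prefix is impossible."""
    def bit_at(i: int) -> int:
        return (stego[i] >> (i % planes)) & 1

    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | bit_at(start_bit + b * 8 + k)
            out.append(value)
        return bytes(out)

    if len(stego) < 32:
        raise ValueError("carrier too small for a length prefix")
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("declared length exceeds carrier capacity")
    return read(32, length)


def naive_lsb_read(stego: bytes, nbytes: int) -> bytes:
    """Single-plane LSB reader of the kind a generic stego scanner applies."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def looks_like_carrier(data: bytes, planes: int = PLANES) -> bool:
    """True when extract() finds a length prefix that fits inside the data."""
    try:
        extract(data, planes)
        return True
    except ValueError:
        return False


# Constructed cover (deterministic pseudo-pixel bytes) and constructed payload
# standing in for the .NET stage the loader would map into memory.
COVER = bytes((i * 73 + 41) % 256 for i in range(4096))
PAYLOAD = b"constructed second-stage stub bytes"


def demo() -> Tuple[bytes, bytes]:
    """Return (what the matching reader recovers, what a plain LSB reader sees)."""
    stego = embed(COVER, PAYLOAD)
    return extract(stego), naive_lsb_read(stego, 4 + len(PAYLOAD))


if __name__ == "__main__":
    recovered, naive = demo()
    print("round-robin reader:", recovered)
    print("plain LSB reader:  ", naive.hex())
```

The matching reader recovers the payload exactly, while the single-plane reader gets only every third bit right and the cover's own low bits for the rest. When hunting for this class of loader, the actionable signal is therefore not "LSB statistics look off" but the pairing of a PNG that is read by a proxy DLL with an in-memory .NET assembly load that has no on-disk module.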
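Both PrismexSheet and PrismexDrop persist through COM hijacking. The check a responder would want for that technique is below as an added example (not code from the report): it compares per-user InProcServer32 registrations against the machine-wide ones, because Windows layers HKCU\Software\Classes over HKLM\Software\Classes when building HKEY_CLASSES_ROOT, so a per-user entry for an already-registered CLSID silently wins. The CLSIDs, paths and directory heuristics are constructed placeholders; assess() is pure so it runs on any exported snapshot, and collect_inproc() gathers a live snapshot on Windows.

```python
"""Per-user COM hijack check (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directories an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%",
    re.IGNORECASE,
)
# Where legitimate in-process servers normally live.
TRUSTED_ROOTS = re.compile(
    r"^(%SystemRoot%|%windir%|[A-Z]:\\Windows\\(System32|SysWOW64)|[A-Z]:\\Program Files( \(x86\))?)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    clsid: str
    user_dll: str
    machine_dll: Optional[str]
    severity: str
    reasons: List[str] = field(default_factory=list)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def assess(hkcu: Dict[str, str], hklm: Dict[str, str]) -> List[Finding]:
    """Compare per-user InProcServer32 entries (CLSID -> DLL) with machine-wide ones.

    A per-user entry that merely repeats the machine-wide DLL is ignored.
    Findings come back high severity first.
    """
    machine = {k.upper(): v for k, v in hklm.items()}
    findings: List[Finding] = []
    for clsid, dll in hkcu.items():
        clsid = clsid.upper()
        twin = machine.get(clsid)
        shadows = twin is not None and _norm(twin) != _norm(dll)
        reasons: List[str] = []
        if shadows:
            reasons.append(f"overrides machine-wide server {twin}")
        if USER_WRITABLE.search(dll):
            reasons.append("DLL lives in a user-writable directory")
        elif not TRUSTED_ROOTS.match(dll.strip().strip('"')):
            reasons.append("DLL outside Windows or Program Files")
        if not reasons:
            continue
        severity = "high" if shadows and len(reasons) > 1 else "medium"
        findings.append(Finding(clsid, dll, twin, severity, reasons))
    findings.sort(key=lambda f: (f.severity != "high", f.clsid))
    return findings


def collect_inproc(hive_name: str) -> Dict[str, str]:
    """Windows only: CLSID -> default InProcServer32 value for 'HKCU' or 'HKLM'."""
    import winreg  # local import keeps assess() usable on other platforms

    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    result: Dict[str, str] = {}
    try:
        root = winreg.OpenKey(hive, r"Software\Classes\CLSID", 0, access)
    except OSError:
        return result
    with root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InProcServer32", 0, access) as key:
                    dll, _ = winreg.QueryValueEx(key, "")
                    result[clsid.upper()] = str(dll)
            except OSError:
                continue  # CLSID has no in-process server
    return result


# Constructed snapshot: the CLSIDs and paths are placeholders, not real registrations.
SAMPLE_HKCU = {
    "{11111111-1111-1111-1111-111111111111}": r"C:\Users\alice\AppData\Local\Temp\sync.dll",
    "{22222222-2222-2222-2222-222222222222}": r"C:\Users\alice\AppData\Local\Vendor\vendor.dll",
    "{33333333-3333-3333-3333-333333333333}": r"C:\Program Files\Vendor\legit.dll",
}
SAMPLE_HKLM = {
    "{11111111-1111-1111-1111-111111111111}": r"C:\Windows\System32\legit.dll",
    "{33333333-3333-3333-3333-333333333333}": r"C:\Program Files\Vendor\legit.dll",
}

if __name__ == "__main__":
    for f in assess(SAMPLE_HKCU, SAMPLE_HKLM):
        print(f.severity.upper(), f.clsid, f.user_dll, "|", "; ".join(f.reasons))
```

On a live host run `assess(collect_inproc("HKCU"), collect_inproc("HKLM"))`. A high finding (per-user DLL in a writable directory that overrides an existing machine-wide server) is the COM-hijack pattern; a medium finding with no machine-wide twin is how some per-user installers legitimately register, so triage it by signer and install history rather than deleting it outright. Repeat the collection for the 32-bit view (HKCU\Software\Classes\WOW6432Node\CLSID) and pair it with a review of scheduled tasks, since PrismexDrop uses both mechanisms.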

Historical Context and Implications

Some elements of this campaign were previously documented by Zscaler ThreatLabz under the name Operation Neusploit. APT28’s use of COVENANT, an open-source command-and-control framework, was first highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. PrismexStager is considered an evolution of MiniDoor and NotDoor (also known as GONEPOSTAL), a Microsoft Outlook backdoor deployed by the group in late 2025.

In at least one incident in October 2025, the COVENANT Grunt payload was observed not only collecting information but also executing a destructive wiper command that deletes every file under the "%USERPROFILE%" directory. This dual capability suggests that the campaigns serve both espionage and sabotage.

Strategic Intent

Trend Micro emphasized that this operation illustrates APT28’s status as one of the most aggressive Russia-aligned intrusion sets. The targeting pattern indicates a strategic intent to compromise the supply chain and operational planning capabilities of Ukraine and its NATO partners. The focus on disrupting supply chains, weather services, and humanitarian corridors supporting Ukraine marks a troubling shift toward operational disruption, potentially foreshadowing more destructive activities.

For further insights into this evolving threat landscape, refer to the original reporting source: thehackernews.com.
